Revolut Payments UAB 2023: $4M Enforcement Action

Regulators: Bank of Lithuania
Jurisdiction: LT

In October 2023, the Bank of Lithuania fined Revolut Payments UAB approximately €3.5 million (around $4 million) for breaches of anti-money laundering and counter-terrorist financing requirements. According to the regulator, the company failed to meet required standards for customer due diligence and transaction monitoring under Lithuanian and EU AML law.

What happened?

Revolut Payments UAB is Revolut's Lithuanian entity, authorized as an e-money institution by the Bank of Lithuania. It holds passport rights across the European Economic Area. Through this single licensed entity, Revolut can serve millions of customers in EU member states, making the UAB a critical part of the group's European operations.

In October 2023, the Bank of Lithuania announced a fine of approximately €3.5 million against Revolut Payments UAB. According to the Bank of Lithuania's press release, the penalty followed supervisory examinations that identified deficiencies in the company's AML and counter-terrorist financing (CTF) compliance framework. The Bank of Lithuania cited violations of Lithuania's Law on the Prevention of Money Laundering and Terrorist Financing (LPMLTF), which transposes EU AML directives into national law.

The supervisory process was consistent with standard Bank of Lithuania practice. Under its supervisory mandate, the regulator conducts both on-site and off-site inspections of licensed payment and e-money institutions to assess whether their AML programs meet statutory requirements and are proportionate to their risk profiles.

Revolut's rapid customer growth in the years before the fine had created real scaling pressure on its compliance function. By the time of the fine, the company served tens of millions of customers across Europe. The Bank of Lithuania's action was the most visible formal regulatory consequence for the UAB entity at that time, though Revolut was simultaneously navigating scrutiny from regulators in other jurisdictions, including ongoing UK banking license proceedings.

What did regulators say?

The Bank of Lithuania stated in its press release that Revolut Payments UAB had violated obligations under the LPMLTF. Regulators characterized the failures as systemic rather than isolated. An institution processing Revolut's transaction volumes is expected, under both Lithuanian law and EU AML directives, to invest in controls proportionate to that scale. According to the announcement, the company's program fell short of that standard.

The Bank of Lithuania has enforcement authority under the LPMLTF and the Law on Financial Institutions to impose administrative sanctions on licensed e-money institutions. The €3.5 million penalty was among the more substantial fines the regulator had issued to a licensed payment institution at that time.

The regulator's framing, according to the official announcement, emphasized that an AML program must be adequate, documented, and actually applied in practice. A program that exists on paper but lacks the staff, processes, and oversight to function is not a compliant program. The Bank of Lithuania alleged that Revolut Payments UAB's framework failed those criteria.

According to the public announcement, no individual employees or officers were penalized. The fine was imposed on the entity.

What controls failed?

The Bank of Lithuania's findings pointed to deficiencies across three core AML control areas.

Customer due diligence was central. Under FATF Recommendation 10 and the EU AML framework, financial institutions must verify customer identity before establishing a business relationship, understand the customer's activity and purpose, and apply enhanced measures for higher-risk relationships. Revolut's digital-first onboarding model processes new accounts rapidly. The controls applied to that process were, according to regulators, insufficient for the risk. A low-friction onboarding model is only defensible when the identity verification beneath it is genuinely reliable.

Transaction monitoring was the second area. High-volume payment platforms generate large numbers of alerts. When the staff and tooling available to investigate those alerts don't match the volume, backlogs build and genuine suspicious activity is missed or reported late. Regulators found Revolut's monitoring capabilities did not match the complexity and scale of its transaction flows.

FATF Recommendation 11 on record-keeping was also implicated. Complete, retrievable documentation of CDD decisions and transaction records is both a compliance obligation and an evidentiary one. Where records are incomplete, the institution can't demonstrate to a regulator that controls were applied at all.

Governance was a compounding factor. AML program failures at fintechs frequently trace back to a growth period during which compliance headcount was deprioritized relative to product and engineering. The result is a program that reads as adequate but lacks the staff, escalation paths, and senior oversight to function under pressure. The European Banking Authority's guidance on AML/CFT risk factors specifically addresses governance structures proportionate to an institution's risk profile. Revolut's program, regulators alleged, didn't meet that bar.

Which regulations were violated?

The Bank of Lithuania imposed the fine under Lithuania's LPMLTF, the national legislation implementing EU AML directives. By October 2023, the operative EU framework incorporated the Fifth and Sixth Anti-Money Laundering Directives.

6AMLD, established through Directive (EU) 2018/1673, extended criminal liability provisions for money laundering, added new predicate offenses, and strengthened cross-border cooperation requirements. For an e-money institution operating across multiple EU jurisdictions via passport rights, compliance means the AML obligations apply wherever the passport is exercised. You can't run a looser program in Lithuania because most of your customers are elsewhere in the EEA.

FATF Recommendation 20 requires prompt filing of suspicious transaction reports when there are reasonable grounds to suspect money laundering or terrorist financing. Delays in STR filing are among the most common enforcement findings across jurisdictions, and they carry direct law enforcement consequences. The FATF 40 Recommendations form the international baseline that EU AML directives are built on, and both are fully transposed into the LPMLTF.

FATF Recommendation 15 addresses ML/TF risks from new technologies and business models, including digital payment platforms and e-money services. It requires institutions to assess and manage those risks before launching new products. For a company expanding its product range at Revolut's pace, that's a continuous obligation, not a one-time exercise.

The EU AMLR, adopted in 2024, codifies many of the same requirements as directly applicable EU regulation, removing transposition variation that national laws like the LPMLTF historically introduced.

Which typologies were involved?

The control failures in this case created exposure to several typologies common to high-volume digital payment platforms.

Synthetic identity fraud is the natural corollary of weak CDD at scale. When automated onboarding can be passed with fabricated or misrepresented identity documents, bad actors open accounts in bulk. Those accounts receive, move, and extract funds through the institution's own infrastructure. Without adequate ongoing monitoring, they're difficult to distinguish from genuine users until law enforcement requests make the pattern visible.

Payment structuring is another predictable risk. Criminals who understand monitoring thresholds design their activity to stay beneath them: multiple smaller transactions across accounts and institutions that combine to move substantial sums. Where monitoring rules are static or poorly calibrated to current transaction patterns, structuring goes undetected for months.

EU Transfer of Funds Regulation requirements mean cross-border transfers must carry complete originator and beneficiary information. E-money institutions processing high volumes of EEA-wide payments face real practical challenges in ensuring that information is accurate and present for every transaction. When it's missing, those transfers are harder to screen against sanctions lists and PEP databases, and the quality of STR filings degrades.

We've seen compliance teams at peer fintechs discover that their alert logic was calibrated for a customer base they had two product generations ago. The product has expanded, the customer mix has changed, and the monitoring rules haven't kept up. That's when typology exposure becomes enforcement exposure.

Aftermath and remediation

After the October 2023 fine, Revolut Payments UAB remained under active supervisory oversight from the Bank of Lithuania. Standard practice following an AML enforcement action requires the institution to produce a remediation plan agreed with the regulator. These plans set out specific actions, timelines, and senior ownership for addressing each identified deficiency.

Revolut's wider regulatory position in late 2023 was complex. The company had been waiting for a UK banking license from the Prudential Regulation Authority (PRA) for several years. That process involved detailed scrutiny of Revolut's compliance framework across all group entities. The Bank of Lithuania fine formed part of the regulatory record that UK authorities were examining.

Revolut received its UK banking license in July 2024. The license came after extensive changes to the company's compliance function across the group. In the period before the license was granted, Revolut made a series of senior compliance hires and invested heavily in its financial crime infrastructure.

The Lithuanian fine didn't produce public disclosures about leadership changes at the UAB entity specifically. Revolut's public response acknowledged the Bank of Lithuania's findings and stated the company was working to address the identified deficiencies.

For peer e-money institutions across the EEA, the action was a clear signal: the Bank of Lithuania intends to use its enforcement powers against high-volume fintechs when AML programs don't match risk exposure, and supervisory patience has limits.

Lessons for other institutions

The single most transferable takeaway is that an AML program must scale with the business, not trail it by eighteen months.

Revolut's compliance challenges were not unusual for a company growing at that pace. The problem is that pace of growth is not a regulatory defense. The Bank of Lithuania doesn't accept capacity constraints as an explanation for transaction monitoring gaps when the institution is processing tens of millions of transactions a month.

For compliance teams at peer institutions, here's what to check.

Are your transaction monitoring thresholds calibrated to your current customer mix and transaction volumes? Stale thresholds generate the wrong alerts and miss the right ones. A calibration review that happened two years ago isn't a calibration review.

Is your STR/SAR filing backlog under control? If your team is generating more alerts than it can investigate within the timeframes your regulators expect, that's a resource problem. It needs a headcount or tooling decision, not a process memo.

Is your CDD documentation complete for your existing customer base, not just for new onboarding? Re-papering exercises are expensive and disruptive. Finding that records are missing during a supervisory inspection is worse.

Does your board receive regular AML reporting with concrete metrics: alert volumes, investigation timelines, filing rates, and escalation outcomes? If compliance challenges aren't visible at board level, the resourcing decisions won't get made.

For any institution holding EEA passport rights: the AML obligation travels with the passport. Your primary regulator's tolerance doesn't extend to host jurisdictions where local rules apply.

How FluxForce helps prevent similar failures

The control failures here map directly to FluxForce agent capabilities. Nova Sentinel monitors transaction behavior in real time. It applies behavioral analytics across the full account population to detect structuring, anomalous payment patterns, and velocity anomalies that static rule-sets miss at scale. Aiden Flux handles CDD end-to-end: risk scoring, enhanced due diligence triggers, and ongoing monitoring throughout the customer lifecycle. Every agent decision produces a full evidence trail for regulatory examination. Automated STR drafting reduces filing time from days to hours. Talk to us about a demo.

Sources and official documents

https://www.lb.lt/en/news/the-bank-of-lithuania-imposed-a-fine
